Further Reading

No patch available yet for critical bug affecting all supported versions of IE.

The attacks were hosted on the Syrian Ministry of Justice website at hxxp://jpic.gov.sy and were detected on seven computers located in Syria, leading to theories that the campaign targeted dissidents complaining about the government of President Bashar al-Assad, according to a blog post published Monday by researchers from antivirus provider Kaspersky Lab. The attacks exploited a previously unknown vulnerability in Flash when people used the Firefox browser to access a booby-trapped page. The attackers appear to be unrelated to those reported on Sunday who exploited a critical security bug in Internet Explorer, a Kaspersky representative told Ars.

While the exploit Kaspersky observed attacked only computers running Microsoft Windows, the underlying flaw, which is formally categorized as CVE-2014-1776 and resides in a Flash component known as the Pixel Bender, is present in the Adobe application built for OS X and Linux machines as well. Adobe has updated all three versions to plug the hole. Because security holes frequently become much more widely exploited in the hours or days after they are disclosed, people on all three platforms should update as soon as possible. People using IE 10 and 11 on Windows 8 will receive the update automatically, as will users of Google's Chrome browser. It can sometimes take hours for the automatic updates to arrive. Those who are truly cautious should consider manually installing them. Windows users with Firefox installed must run a separate update for both IE and the Mozilla browser.

Kaspersky Lab researcher Vyacheslav Zakorzhevsky said the attacks were carried out in two separate exploits and were detected as early as April 9 by a general heuristic signature in the company's AV network. Both of the SWF files are able to bypass security mitigations built into Flash and Microsoft Windows, including Windows 8, he said. One of the exploits, embedded in a file titled include.swf, is designed to target computers that have the Cisco Systems MeetingPlace Express Add-In version 5x0 installed. The app is used to view documents and images during Web conferences.
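The following is an added example, not code from the article or from Kaspersky: a minimal SWF triage parser of the kind a responder would run over a suspect file like the include.swf described above. It reads the header, inflates zlib-compressed (CWS) files, walks the tag list and flags the tags that carry ActionScript bytecode or embedded binary blobs; tag codes come from the SWF file format specification, and the sample file it parses is constructed here, not a real exploit.

```python
import struct
import zlib

# Tag codes from the SWF file format specification.
TAG_NAMES = {0: "End", 69: "FileAttributes", 82: "DoABC", 87: "DefineBinaryData"}

def parse_swf(data: bytes) -> dict:
    """Return header fields and the list of (code, name, length) tags in an SWF."""
    sig = bytes(data[:3])
    if sig not in (b"FWS", b"CWS", b"ZWS"):
        raise ValueError("not an SWF file")
    version = data[3]
    declared_len = struct.unpack("<I", data[4:8])[0]  # uncompressed length incl. header
    if sig == b"ZWS":
        raise ValueError("LZMA (ZWS) files are not handled in this example")
    body = zlib.decompress(data[8:]) if sig == b"CWS" else data[8:]
    # Frame size is a RECT: a 5-bit field width, then four fields of that width, byte-padded.
    nbits = body[0] >> 3
    pos = (5 + 4 * nbits + 7) // 8
    frame_rate = struct.unpack("<H", body[pos:pos + 2])[0] / 256.0  # fixed-point 8.8
    frame_count = struct.unpack("<H", body[pos + 2:pos + 4])[0]
    pos += 4
    tags = []
    while pos + 2 <= len(body):
        code_and_len = struct.unpack("<H", body[pos:pos + 2])[0]
        pos += 2
        code, length = code_and_len >> 6, code_and_len & 0x3F
        if length == 0x3F:  # long form: the real length follows as a UI32
            length = struct.unpack("<I", body[pos:pos + 4])[0]
            pos += 4
        tags.append((code, TAG_NAMES.get(code, "Unknown"), length))
        if code == 0:
            break
        pos += length
    return {"signature": sig.decode(), "version": version, "declared_len": declared_len,
            "actual_len": 8 + len(body), "frame_rate": frame_rate,
            "frame_count": frame_count, "tags": tags}

def triage(info: dict) -> list:
    """Notes a responder wants: length mismatch, bytecode present, embedded blobs present."""
    notes = []
    if info["declared_len"] != info["actual_len"]:
        notes.append("declared length does not match actual length")
    for code, name, length in info["tags"]:
        if code == 82:
            notes.append("DoABC: ActionScript 3 bytecode, %d bytes" % length)
        if code == 87:
            notes.append("DefineBinaryData: embedded blob, %d bytes" % length)
    return notes

def build_sample_swf(compress: bool = False) -> bytes:
    """Constructed sample (not a real exploit): one blob tag, one bytecode tag, then End."""
    body = b"\x00" + struct.pack("<HH", 24 * 256, 1)  # degenerate RECT, 24 fps, 1 frame
    body += struct.pack("<H", (87 << 6) | 10) + b"\x01\x00" + b"\x00" * 4 + b"\xde\xad\xbe\xef"
    abc = struct.pack("<I", 1) + b"\x00" + b"\x00\x00\x00"  # flags, empty name, 3 dummy bytes
    body += struct.pack("<H", (82 << 6) | 0x3F) + struct.pack("<I", len(abc)) + abc
    body += b"\x00\x00"  # End tag
    header = (b"CWS" if compress else b"FWS") + bytes([10]) + struct.pack("<I", 8 + len(body))
    return header + (zlib.compress(body) if compress else body)

if __name__ == "__main__":
    info = parse_swf(build_sample_swf(compress=True))
    print(info["signature"], "v%d" % info["version"], info["tags"])
    print("\n".join(triage(info)))
```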

"We are sure that all these tricks were used in order to carry out malicious activity against a very specific group of users without attracting the attention of security solutions," Zakorzhevsky wrote. "We believe that the Cisco add-in mentioned above may be used to download/implement the payload as well as to spy directly on the infected computer."

He continued:

When we entered the site, the installed malware payloads were already missing from the "_css" folder. We presume the criminals created a folder whose name doesn’t look out of place on an administration resource and where they loaded the exploits. The victims were probably redirected to the exploits using a frame or a script located at the site. To date, April 28, the number of detections by our products has exceeded 30. They were detected on the computers of seven unique users, all of them in Syria, which is not surprising considering the nature of the site. Interestingly, all the attacked users entered the website using various versions of Mozilla Firefox.

It’s likely that the attack was carefully planned and that professionals of a pretty high caliber were behind it. The use of professionally written 0-day exploits that were used to infect a single resource testifies to this.

Moreover, while the first exploit is pretty standard and can infect practically any unprotected computer, the second exploit (include.swf) only functions properly on computers where Adobe Flash Player 10 ActiveX and Cisco MeetingPlace Express Add-In are installed. The Flash Player Pixel Bender component, which Adobe no longer supports, was used as the attack vector. The authors were counting on the developers not finding a vulnerability in that component and that the exploit would remain active for longer. All this suggests that the attackers were not targeting users en masse.

The exploitation of critical vulnerabilities by state-sponsored or state-motivated adversaries has grown increasingly common in recent years. The most notable examples include the Stuxnet, Flame, and Red October malware campaigns. A raft of other smaller campaigns have regularly targeted the Macs and Windows PCs belonging to dissidents of China and other countries as well as private companies and government agencies, although many such attacks don't rely on previously unknown vulnerabilities in widely used products.

Promoted Comments

Just a quick reminder for those here unfamiliar with modern versions of IE: Flash (even the embedded version in IE 10 and 11) can be globally disabled by turning on ActiveX Filtering. I also recommend running with Enhanced Protected Mode enabled with 64-bit process support also turned on. This sandboxes the desktop browser just as tightly as the Metro browser.

Iirc Firefox has a built-in plugin blocker. If you go to addons then plugins and change it to "Always ask" then it will ask before loading up flash.

Does using this feature activate flash for the entire page? The thing I like about flashblock is, for instance if there are 5 flash elements on a page you can select which ones you want to activate. Flash elements that are "floating" somewhere you wouldn't expect, or in an uninteresting region of the page can be left inactive.

How does using Firefox protect people against these exploits? As mentioned in the second paragraph: "The attacks exploited a previously unknown vulnerability in Flash when people used the Firefox browser to access a booby-trapped page."

I only suggest Firefox because I have experience with the "flashblock" addon. It puts an icon where the flash element would be. If you want to activate the flash element, you click the icon. Sites can also be white-listed. Perhaps other browsers have similar addons? I simply don't have experience with them.

Flash elements will not play automatically for a given page. This helps avoid "booby traps." Of course, if you activate the booby trap, you are still vulnerable.

The same or a similar plugin exists for Chrome, fwiw. Shows up in the address bar, to the right side, and you can click to allow, whitelist, or blacklist.

Plugins need to be sandboxed up the wazoo. They should run in their own processes so they can't compromise the browser's memory, run as some minimally privileged "idiot" user, have no disk I/O without the plugin container authenticating it, and still have no disk I/O outside of some plugin-specific folder. Obviously we can't trust Flash to be secure so we should rely on the browser and OS instead.

No, not really. Gnash hasn't actually so much as had a release in years, is only sort of compatible with some of current ActionScript or SWF v8/v9 let alone anything more modern, etc. The fundamental issue is that if you have an actual serious application you need Flash for (in my case one of my banks) then ancient, partial compatibility won't do, might as well just have a dedicated sandbox for it. VMs and WINE and the like are available and constantly improved. And for everything else, Flash is obsolete anyway and if someone was going to the trouble to write for an alternative they might as well go whole hog and just use HTML5 & JS instead (and in some cases mobile apps as well). So the raison d'etre for these sorts of efforts has kind of gone away. Video was one of the big cited uses for Gnash as an example, but that's been effectively dealt with at this point thanks to the rise of mobiles.

Anyway, result is that interest (and in turn resources) for alternatives seems to have mostly dried up. Why bother doing the huge amount of work necessary for something that, far from being a format of the future, most hope will vanish outside of stand-alone legacy as quickly as reasonably possible?

I wish all the 'techno-anarchists' who protest employee shuttle buses would focus some of their efforts on shutting this place down:

It seems I can't go a week now without having to install a new version of Flash, closing and relaunching all my browser windows in the process (some of which I have open as a reference for other projects).

I used to be a loyal Adobe customer ten years ago. Now I can't stand them.

I totally agree. You would think that even the legendary Shakespeare Writing Monkeys could produce a set of code to "Display" things (Flash, PDF reader) that should be "safe". I am convinced it is outside of the competence of the employees of Adobe.

Maybe the alleged Apple/Adobe anti-poaching agreement was Jobs' attempt to keep Adobe down, because I can't see a good reason why another of the alleged co-conspirators would want to recruit from them.

That's what I have on all my Firefox installs: Flash is set to "Always ask" instead of "Always activate". I didn't do it for security, though--it was to cut down on the plethora of Flash nuisances on the web.

Flash really needs to die as quickly as possible. The worst offenders are websites which insist that you install and use Flash for something, but they somehow magically work on an iPad.

An example: I visited Volvo's website yesterday, both on my desktop (Firefox 28, Linux) and my iPad Air. On the Air, the car configurator was simply an HTML5 app that ran fine. On my desktop though, it asked to activate Flash (Firefox is set to ask first for plugins).

I tried disabling Flash completely to hide the fact I had Flash installed; the configurator threw an error message saying Flash wasn't installed and I needed to install it to use the configurator. WTF? It works fine on my iPad, it should work on my desktop without Flash!

I then used the user agent switcher to spoof the browser as being an iPad, and surprise surprise it worked perfectly. Not only that, the HTML5 configurator was far easier to use and less janky than the Flash version. My question for the designers of Volvo's website is thus - if you have a perfectly solid HTML5 replacement for what was a Flash object and it performs better, why the damn hell are you sniffing the browser's user agent and forcing the Flash version on desktop users?

So I would just like to know what it's like for anyone who's done this:

What's it like browsing the internet without Flash installed? Every day I get more and more tired of it between the constant impending doom exploits that are announced for it, Adobe constantly nagging me about updates, as well as Firefox pooping out because of a broken Flash script when I hit pause on a video stream.

Is the internet still serviceable without it?

Yes and no. I can read the news, go do forum stuff and the majority of the social networking functions in the world. Until there are videos. At which point I go shit, and switch to a browser bundled with Flash. Moreover, YouTube's HTML5 player has vanished for me. So life got significantly harder.

Also simple flash games obviously don't work, and neither do advertisements that use flash. So there's that.

Shumway is a free HTML5/JS implementation of the SWF file format. The project is still in the experimental phase, but it has some potential if it gains enough interest.

Worth noting, is that most of the ad-blocking extensions out there will also allow you to block/filter/whitelist Flash content. Some extensions like Ghostery will let you replace flash videos with a "click-to-play" button, so you have more control over when and where it plays.

Youtube junkies can enable "html5 playback when possible" by going to this site while logged in with a Google account: https://www.youtube.com/html5. If your browser doesn't support all of the categories, it may default to using the flash player.

No, they're completely different bugs residing in Flash and IE respectively. Note that while the attackers exploiting CVE-2014-1776 were somehow abusing Flash and VML to bypass ASLR, DEP or other security mitigations in Windows, the attacks otherwise appear to be unrelated and, according to Kaspersky, were carried out by different actors.

Me, unfortunately. It sucks ass, it doesn't play nice with fullscreen video when using a compositor like compton, but it's the only thing that's reliable with getting videos (mainly YouTube) to play properly. For some reason, 1080p doesn't seem to be an option for HTML5.

I've stopped installing Flash or Adobe Reader by default. I have a Mac and use Safari. I have the Developer menu up, and if I need to do something with Flash or Reader, I go to the Developer menu and select "Open URL in Google Chrome".

I'm counting on Chrome to install the latest Flash, to use sandboxing to keep damage limited, and to be complex enough that I'll say screw this about 80% of the time and skip my whole immersive Flash experience.

Welcome to the Windows XP of Adobe. Prior to SP2, XP was a massive cluster of patch after patch after patch. Then someone decided enough was enough. SP2 did a good job of streamlining XP in a number of categories along with better QC on patch release. MS realized they had a fundamental problem, and for the most part fixed it as best they could in XP.

Adobe is now in the same boat: sink or swim. They are either going to continue to flounder and make companies ditch Flash at an ever increasing pace, or they are going to step up and get their security crap under control. Considering how they seem to be shrugging when it comes to Flash, I'm pretty sure they are going to shrug and just keep patching until no one gives a crap about the platform. Considering how they abandoned Android, would anyone be surprised at that choice?

Just a reminder to Chrome users: turn on Click to Play (see the section "run or block plug-ins") for all plug-ins. The second or two it takes to click something when you actually know you want it to run is beyond worth not having Flash/etc chugging away in 40 tabs simultaneously from ads or just random shit that you wouldn't have had running if you'd had the choice.

You can always whitelist specific sites to auto-run like normal if you need, but that's tremendously rare in my experience. This also helps deal with issues with Java, if you still have that installed too.

I agree with some other commenters, Adobe used to be one of my favorite companies. In recent years they are working hard to piss me off. Too-frequent patching and the subscription model for their software soured me on them. If you own a few pieces of their software it seems you can't turn on your PC without a patch request from them. Kind of like the PS3 used to be, lol.

Not only that, they try to foist McAfee crapware on you. The "install" block is checked by default. Grrrr....

Chrome is my radioactive, Flash sandbox. I haven't had Flash installed in ages. It can be slightly irritating at times, and there are several restaurants I don't go to because they have a Flash-based menu I can't see (oh well), but then articles/news like this just reinforce that Flash is the Real Media Player of the internet now.,,|, Eat it Adobe.

I share this frustration, but FWIW I just ran the update on two Windows 7 boxes running Firefox and was pleasantly surprised at NOT having to restart the browser. Not sure when that changed or if it's just a fluke.

The real problem for flash compatibility is the requirement to eat an LSO, a flash cookie. It's not all that common, but some sites' authentication systems won't work unless you can eat that cookie. Video isn't such a big deal for me (but I do enjoy Colbert on Comedy Central, which is very flash dependent last I tried). The trouble for me is not being able to log in on some sites because I'm blocking flash.

Man I updated Flash a couple weeks ago and completely missed the install block for McAfee-- only to have ALL of my A/V software (Avast and MalwareBytes) start freaking the hell out, shit went slower than molasses uphill in January-- I open my task manager, and what do I see? Friggin' Norton! Cue hour long removal process...

On Linux, you get Flash updates in the repository. No way in hell would any Linux distro feed you crapware.

What we need is for Firefox (and maybe others?) to stop nagging us when we don't have Flash installed and Flash content is detected on a page. There should be "Don't ask me ever again to install Flash Player" button.

Then I think the article is wrong. It is talking about 1776 when it should be referencing 0515.

There is. Right there in the nag popup. Click the little arrow and a menu opens up.

Keep in mind this company has not one, but two malware delivery platforms: Flash and Reader.